authorRobin Gloster <mail@glob.in>2016-07-25 16:07:53 +0000
committerRobin Gloster <mail@glob.in>2016-07-28 11:59:13 +0000
commita294ad01b38d9108e02d18aa9788143c15d1e151 (patch)
treec1760cce29628ca883751b4d84cb573a4808f132 /nixos/modules/services/web-servers
parent186a8400ed80f08d977d8c2d94644d4027b11f45 (diff)
nginx module: make recommended settings optional
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix116
1 files changed, 73 insertions, 43 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 6b6ad0d9b985..c8486d3bfcd0 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -16,61 +16,65 @@ let
     error_log stderr;
     daemon off;
 
-    ${cfg.config}
-
     http {
       include ${cfg.package}/conf/mime.types;
       include ${cfg.package}/conf/fastcgi.conf;
 
-      # optimisation
-      sendfile on;
-      tcp_nopush on;
-      tcp_nodelay on;
-      keepalive_timeout 65;
-      types_hash_max_size 2048;
+      ${optionalString (cfg.recommendedOptimisation) ''
+        # optimisation
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+      ''}
 
-      # use secure TLS defaults
       ssl_protocols ${cfg.sslProtocols};
-      ssl_session_cache shared:SSL:42m;
-      ssl_session_timeout 23m;
-
       ssl_ciphers ${cfg.sslCiphers};
-      ssl_ecdh_curve secp384r1;
-      ssl_prefer_server_ciphers on;
       ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
 
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      gzip on;
-      gzip_disable "msie6";
-      gzip_proxied any;
-      gzip_comp_level 9;
-      gzip_buffers 16 8k;
-      gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-      # sane proxy settings/headers
-      proxy_set_header        Host $host;
-      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header        X-Forwarded-Proto $scheme;
-      proxy_set_header        X-Forwarded-Host $host;
-      proxy_set_header        X-Forwarded-Server $host;
-      proxy_set_header        Accept-Encoding "";
-
-      proxy_redirect          off;
+      ${optionalString (cfg.recommendedTlsSettings) ''
+        ssl_session_cache shared:SSL:42m;
+        ssl_session_timeout 23m;
+        ssl_ecdh_curve secp384r1;
+        ssl_prefer_server_ciphers on;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+      ''}
+
+      ${optionalString (cfg.recommendedGzipSettings) ''
+        gzip on;
+        gzip_disable "msie6";
+        gzip_proxied any;
+        gzip_comp_level 9;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+      ''}
+
+      ${optionalString (cfg.recommendedProxySettings) ''
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Server $host;
+        proxy_set_header        Accept-Encoding "";
+
+        proxy_redirect          off;
+        proxy_connect_timeout   90;
+        proxy_send_timeout      90;
+        proxy_read_timeout      90;
+        proxy_http_version      1.0;
+      ''}
+
       client_max_body_size    10m;
-      client_body_buffer_size 128k;
-      proxy_connect_timeout   90;
-      proxy_send_timeout      90;
-      proxy_read_timeout      90;
-      proxy_buffers           32 4k;
-      proxy_buffer_size       8k;
-      proxy_http_version      1.0;
 
       server_tokens ${if cfg.serverTokens then "on" else "off"};
       ${vhosts}
     }
+
+    ${cfg.config}
+
+    # Keep this seperate to allow overriding previous settings
     ${optionalString (cfg.httpConfig != "") ''
     http {
       include ${cfg.package}/conf/mime.types;
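Review bot: The new conditional blocks silently drop several directives the old side set unconditionally — `gzip_buffers 16 8k;`, `client_body_buffer_size 128k;`, `proxy_buffers 32 4k;` and `proxy_buffer_size 8k;` are removed in this hunk and reappear nowhere, which is a configuration change beyond what "make recommended settings optional" describes. Either restore them inside the matching `recommended*` block (e.g. `gzip_buffers 16 8k;` next to `gzip_comp_level 9;`, the proxy buffer sizes next to `proxy_read_timeout 90;`) or state the removal in the commit message so operators know to re-add them via `cfg.config`. The `recommendedTlsSettings` block turns on `ssl_stapling_verify on;` without an `ssl_trusted_certificate`, which nginx needs to actually validate the stapled response; presumably that is left to each vhost, but a comment such as `# ssl_stapling_verify only validates when ssl_trusted_certificate is set (per vhost)` would make that expectation explicit. The comment on the moved `${cfg.config}` line also has a typo: `seperate` should read `separate`.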
@@ -157,11 +161,37 @@ in
 {
   options = {
     services.nginx = {
-      enable = mkOption {
+      enable = mkEnableOption "Nginx Web Server";
+
+      recommendedTlsSettings = mkOption {
+        default = false;
+        type = types.bool;
+        description = "
+          Enable recommended TLS settings.
+        ";
+      };
+
+      recommendedOptimisation = mkOption {
+        default = false;
+        type = types.bool;
+        description = "
+          Enable recommended optimisation settings.
+        ";
+      };
+
+      recommendedGzipSettings = mkOption {
+        default = false;
+        type = types.bool;
+        description = "
+          Enable recommended gzip settings.
+        ";
+      };
+
+      recommendedProxySettings = mkOption {
         default = false;
         type = types.bool;
         description = "
-          Enable the nginx Web Server.
+          Enable recommended proxy settings.
         ";
       };